Permissions Management
If you need to grant your enterprise personnel permission to access your SWR resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your Huawei Cloud resources.
With IAM, you can create IAM users and grant them permission to access only specific resources. For example, if you want some software developers in your enterprise to use SWR resources but do not want them to delete the resources or perform any other high-risk operations, you can grant permission to use SWR resources but not permission to delete them.
If your Huawei Cloud account does not require individual IAM users for permissions management, you can skip this section.
IAM is a free service. You only pay for the resources in your account.
SWR Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. In this way, the users can inherit permissions from the groups and perform operations on specific cloud resources.
SWR is a project-level service deployed for specific regions. To assign SWR permissions to a user group, specify the scope as region-specific projects,and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing SWR, the users need to switch to the authorized region.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. This mechanism provides a limited number of service-level roles for authorization. Cloud services often depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least permission access.
- Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant IAM users only permission to manage a certain type of ECSs.
System-defined policies and roles of SWR are described in Table 1 and Table 2.
|
Name |
Description |
Type |
|---|---|---|
|
SWR FullAccess |
Full permissions for SWR |
System-defined policy |
|
SWR OperateAccess |
Operation permissions for SWR |
System-defined policy |
|
SWR ReadOnlyAccess |
Read-only permission for SWR |
System-defined policy |
|
Name |
Description |
Type |
|---|---|---|
|
SWR Admin |
SWR administrator permissions, including all SWR permissions |
System-defined role |
|
Tenant Administrator |
Administrator permissions for all services except IAM, including all SWR permissions |
System-defined role |
|
ServiceStage Developer |
ServiceStage developer permissions, including permissions such as image pull |
System-defined role |
Table 3 lists the common operations supported by system-defined permissions for SWR.
|
Operation |
SWR FullAccess |
SWR OperateAccess |
SWR ReadOnlyAccess |
SWR Admin |
Tenant Administrator |
|---|---|---|---|---|---|
|
Uploading/Pushing an image |
√ |
√ |
x |
√ |
√ |
|
Downloading/Pulling an image |
√ |
√ |
√ |
√ |
√ |
|
Adding a trigger |
√ |
√ |
x |
√ |
√ |
|
Modifying an image |
√ |
√ |
x |
√ |
√ |
|
Sharing an image |
√ |
√ |
x |
√ |
√ |
|
Assigning permissions |
√ |
√ |
x |
√ |
√ |
|
Deleting an image or a tag |
√ |
√ |
x |
√ |
√ |
|
Creating an organization |
√ |
√ |
x |
√ |
√ |
|
Deleting an organization |
√ |
√ |
x |
√ |
√ |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
